Ensuring the security of a Linux system is a critical task for any system administrator. This guide outlines key security best practices that can help protect your system from unauthorized access, vulnerabilities, and other security threats.
- Security Philosophy: The principle of least privilege, where users and processes are granted the minimum level of access necessary.
- Security Layers: Combining multiple security mechanisms to provide defense-in-depth.
- Regular Users: Limit the use of the root account for administrative tasks. Use `sudo` for commands that require elevated privileges.
  - Command: `sudo adduser newuser` followed by `sudo usermod -aG sudo newuser`
  - Creates a new user and adds them to the `sudo` group.
- Enforce Strong Passwords: Use tools like `passwd` to enforce strong password policies.
  - Command: `sudo passwd newuser`
  - Sets or changes the password for a user.
- Password Aging: Enforce password expiration policies.
  - Command: `sudo chage -M 90 newuser`
  - Requires the user to change their password every 90 days.
- Disable Root Login over SSH: Edit the SSH daemon configuration.
  - Command: `sudo nano /etc/ssh/sshd_config`
  - Set `PermitRootLogin` to `no`.
- Generate SSH Keys: `ssh-keygen -t rsa -b 4096`
  - Generates a pair of SSH keys for secure login.
- Copy Public Key to Server: `ssh-copy-id username@server_ip`
  - Copies the public key to the server for authentication.
- Change the SSH Port:
  - Command: `sudo nano /etc/ssh/sshd_config`
  - Change the `Port` directive to a non-standard port (e.g., `Port 2222`).
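The two `sshd_config` edits above are easy to get wrong because sshd honours only the first uncommented occurrence of a keyword, so a `PermitRootLogin no` added below an existing live line does nothing. The script below is an added example, not part of the original guide: it reads a config file path (so it works on `/etc/ssh/sshd_config` or on the constructed samples it writes itself) and reports whether root login is disabled and whether the port was moved off 22. The sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config for the
# two directives the guide changes (PermitRootLogin and Port). It takes a file
# path, so it can be pointed at /etc/ssh/sshd_config or at the constructed
# samples below, and needs no root.

# Print the effective value of KEYWORD in FILE. sshd uses the first
# uncommented occurrence of a keyword, so later duplicates are ignored.
# Usage: sshd_directive FILE KEYWORD
sshd_directive() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print the effective SSH port; sshd listens on 22 when Port is absent.
sshd_port() {
    v=$(sshd_directive "$1" Port)
    printf '%s\n' "${v:-22}"
}

# Succeed only if root login is explicitly disabled. An absent directive falls
# back to sshd's built-in default (prohibit-password on current OpenSSH),
# which still allows root with a key, so absent counts as a failure here.
root_login_disabled() {
    v=$(sshd_directive "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# One PASS/FAIL line per check.
audit_sshd_config() {
    if root_login_disabled "$1"; then
        echo "PASS PermitRootLogin is no"
    else
        echo "FAIL PermitRootLogin is not set to no"
    fi
    p=$(sshd_port "$1")
    if [ "$p" != "22" ]; then
        echo "PASS Port is $p"
    else
        echo "FAIL Port is still 22"
    fi
}

# Constructed sample (not a real server's file). Note the commented-out line
# and the duplicate directive: only the first live PermitRootLogin counts.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
# constructed sshd_config for this example
#PermitRootLogin yes
Port 2222
PermitRootLogin no
PermitRootLogin yes
EOF

# A second constructed sample that leaves both settings at their defaults.
DEFAULTS=$(mktemp)
printf '#PermitRootLogin prohibit-password\n#Port 22\n' > "$DEFAULTS"

audit_sshd_config "$HARDENED"
audit_sshd_config "$DEFAULTS"
```

After editing the real file, run `sudo sshd -t` to check the syntax before restarting the service, and keep your current session open while you confirm a fresh connection on the new port still works.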
- Install Fail2ban: `sudo apt-get install fail2ban`
  - Protects SSH by banning IP addresses with too many failed login attempts.
- Enable UFW: `sudo ufw enable`
  - Enables the UFW firewall.
- Allow SSH: `sudo ufw allow ssh`
  - Allows SSH traffic through the firewall.
- Allow Specific Ports: `sudo ufw allow 80/tcp` and `sudo ufw allow 443/tcp`
  - Allows HTTP and HTTPS traffic.
- Deny All Incoming Traffic by Default: `sudo ufw default deny incoming`
  - Denies all incoming traffic unless explicitly allowed.
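The order of the UFW commands matters on a remote host: UFW's default incoming policy is already deny, so enabling the firewall before the SSH allow rule exists blocks new SSH sessions until that rule is added. The script below is an added example, not part of the original guide, that applies the same rules with the policy and the SSH rule in place before `enable`. It assumes `ufw` is installed; the first argument is the command each rule is passed through, so `echo` gives a dry run and `ufw` (run as root) applies it. The `--force` flag is UFW's own option for skipping the interactive confirmation.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the guide's UFW rules in an
# order that cannot lock you out of a remote host. Policies and the SSH allow
# rule go in first, "enable" goes last.

# Usage: firewall_baseline CMD SSH_PORT [PORT/PROTO ...]
#   CMD is the command each rule is passed to: "ufw" to apply (as root),
#   "echo" for a dry run that only prints the sequence.
firewall_baseline() {
    if [ $# -lt 2 ]; then
        echo "usage: firewall_baseline CMD SSH_PORT [PORT/PROTO ...]" >&2
        return 1
    fi
    cmd=$1
    ssh_port=$2
    shift 2
    # Policies first; they only take effect once the firewall is enabled.
    "$cmd" default deny incoming
    "$cmd" default allow outgoing
    # The SSH rule must exist before enabling, otherwise new sessions are cut off.
    "$cmd" allow "${ssh_port}/tcp"
    # Any additional services, e.g. 80/tcp and 443/tcp for a web server.
    for spec in "$@"; do
        "$cmd" allow "$spec"
    done
    # --force skips ufw's interactive confirmation so this works from a script.
    "$cmd" --force enable
}

# Dry run with the guide's ports (SSH on 22, HTTP and HTTPS); replace "echo"
# with "ufw" to apply the same sequence for real.
firewall_baseline echo 22 80/tcp 443/tcp
```

If you moved SSH to a non-standard port as described earlier, pass that port as `SSH_PORT`; `ufw allow ssh` on its own opens 22 only.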
- Update Package Lists: `sudo apt-get update`
  - Updates the package list for upgrades.
- Upgrade Installed Packages: `sudo apt-get upgrade`
  - Installs the latest versions of all installed packages.
- Enable Automatic Security Updates: `sudo apt-get install unattended-upgrades`
  - Automatically installs security updates.
- Use `logwatch`: `sudo apt-get install logwatch`
  - Monitors and summarizes log files for suspicious activity.
- Install `auditd`: `sudo apt-get install auditd`
  - Tracks system calls and file accesses for auditing purposes.
- Start the Audit Service: `sudo systemctl start auditd`
- Install AIDE: `sudo apt-get install aide`
  - Monitors file integrity and alerts on unauthorized changes.
- Initialize the AIDE Database: `sudo aideinit`
- List All Services: `systemctl list-units --type=service`
  - Lists all active services.
- Disable a Service: `sudo systemctl disable servicename` followed by `sudo systemctl stop servicename`
  - Disables and stops an unnecessary service.
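Listing services is only useful if you know which ones are supposed to be there. The script below is an added example, not part of the original guide: it compares the enabled units reported by `systemctl list-unit-files --type=service --state=enabled` against an allowlist file and prints the ones that are not on it, which turns "disable unnecessary services" into a check you can rerun after every change. Both the allowlist and the systemctl output it parses are constructed samples written by the script itself.

```shell
#!/bin/sh
# Added example, not from the original guide: report enabled services that are
# not on an allowlist. Reads the output of
#   systemctl list-unit-files --type=service --state=enabled
# on stdin and an allowlist file (one unit name per line) as its argument.

# Usage: unexpected_services ALLOWLIST_FILE < systemctl_output
unexpected_services() {
    awk -v allowfile="$1" '
        BEGIN {
            # Load the allowlist; blank lines and # comments are ignored.
            while ((getline line < allowfile) > 0)
                if (line != "" && line !~ /^#/) allowed[line] = 1
        }
        # Only the unit rows have a ".service" name in column 1; the header
        # line and the "N unit files listed." footer are skipped.
        $1 ~ /\.service$/ && !($1 in allowed) { print $1 }
    '
}

# Constructed allowlist standing in for a real per-role baseline.
ALLOW=$(mktemp)
printf '%s\n' '# baseline for a web server' ssh.service cron.service nginx.service > "$ALLOW"

# Constructed sample standing in for real systemctl output.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
UNIT FILE          STATE   PRESET
cron.service       enabled enabled
nginx.service      enabled enabled
rpcbind.service    enabled enabled
ssh.service        enabled enabled
cups.service       enabled enabled

5 unit files listed.
EOF

# Prints rpcbind.service and cups.service: candidates for
#   sudo systemctl disable servicename && sudo systemctl stop servicename
unexpected_services "$ALLOW" < "$SAMPLE"
```

On a live host, run it as `systemctl list-unit-files --type=service --state=enabled | unexpected_services /path/to/allowlist`; keep one allowlist per server role and review it whenever a package installs a new unit.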
- Install and Enable NTP: `sudo apt-get install ntp`, then `sudo systemctl enable ntp` and `sudo systemctl start ntp`
  - Ensures accurate timekeeping, which is crucial for logging and security.
- Install Cryptsetup: `sudo apt-get install cryptsetup`
  - Tool for managing LUKS encryption.
- Encrypt a Partition: `sudo cryptsetup luksFormat /dev/sdX`
  - Encrypts the specified partition (replace `/dev/sdX` with the target device; any existing data on it is destroyed).
- Open and Use the Encrypted Partition: `sudo cryptsetup luksOpen /dev/sdX crypted_partition` followed by `sudo mount /dev/mapper/crypted_partition /mnt`
  - Unlocks the partition under `/dev/mapper/crypted_partition` and mounts it at `/mnt`.
Implementing security best practices is essential for maintaining the integrity and safety of your Linux systems. By following these guidelines, you can significantly reduce the risk of unauthorized access and ensure your system remains secure. Regular updates, user management, and network security are key components of a robust security strategy.